Date: 2025-09-22

Welcome to Cyber Frontlines, your inside look at the IBM experts helping shape the future of cybersecurity. In this installment, meet Brett Hawkins, a leader on the IBM X-Force Red Team who currently works to understand the vulnerabilities of the systems organizations use to develop and deploy machine learning (ML) models as adversarial AI emerges as a critical threat vector. In the Q&A below, Brett shares why MLOps systems are the next battleground, how his team is stress-testing AI pipelines and what organizations need to do now to outpace attackers in an AI-driven world.
Stay up-to-date on Brett’s work on LinkedIn.
My sophomore year in college, I was in the computer science program and looking at internships. There was a big company nearby, the J.M. Smucker Company, that was interviewing for IT roles. I assumed I’d end up in software development, but one of the interviews was with someone in IT security. That was the conversation I enjoyed the most, and it turned out to be the best fit. I got hired as an IT security intern and ended up working there for a couple years. That’s really how I got my start in cybersecurity. I hadn’t thought much about it before then, but once I landed that internship, it was full steam ahead.
I came to X-Force because I wanted to specialize in red team assessments—simulating real-world cyberattacks to test organizations’ security defenses and identify vulnerabilities—and do more security research. Now, I’ve been here almost five years and enjoy helping our clients better understand security threats.
Primarily, I lead adversary simulation engagements for clients. Organizations hire us to break in and demonstrate impact—what we call objectives. That could mean gaining access to sensitive data or a critical system, essentially their crown jewels. Outside of that, I work on and publish security research. I’ve spoken at the Black Hat conference several times, published white papers and written blog posts for IBM. I also help with team initiatives to improve how we deliver client engagements.
In 2020, the SolarWinds hack really shook the industry. It was a massive software supply chain attack, and it made clear that we needed to focus more on how DevOps could be attacked and defended. From 2020 through 2023, I did a lot of research in that area and presented at Black Hat USA and Europe.
By 2024, though, AI and machine learning were becoming much more central. Organizations were building custom models for products and services, things like driver assistance systems in cars. I started asking: how are these models being developed and deployed, and what systems support them? Because those systems are the next thing attackers will target.
Imagine a widespread model supply chain attack, where poisoned models impact organizations all over the world. That’s why I shifted to MLOps, focusing on the systems used to develop and deploy machine learning models.
My prior DevOps research has helped, because the two areas are often connected. A lot of organizations use DevOps to support MLOps, so there’s interoperability. Over the last year and a half, I’ve really focused on MLOps—publishing a white paper and blog posts and, with [IBM X-Force’s] Chris Thompson, teaching the first Black Hat training course on attacking and defending MLOps systems.
The speed at which machine learning—I mean, the whole industry—is moving means companies are under pressure to develop and deploy models quickly to keep up with competition. Because of that speed to market, security can easily become an afterthought. Since AI and machine learning are still relatively new fields for many companies, that only makes securing those tools and solutions even harder. So, we’re trying to help organizations get—and stay—ahead of those issues.
Of course—the basics, surprisingly. Even in our recent adversary simulation engagements, we still find things like cleartext credentials in file shares, SharePoint or source code repositories. While newer attack surfaces like MLOps deserve attention, many organizations still have gaps in foundational security practices.
Presenting at Black Hat Europe in London was memorable—it was my first time in Europe. More recently, I spoke at the Troopers conference in Germany, which is a very well-known technical event. That was another highlight.
But my very first talk was at a local BSides conference, and I’ll always remember that one. I was doing blue team work then—focused on defensive cybersecurity activities like monitoring, detecting and responding to threats—and presented a tool I built to help detect ransomware on Windows systems. I called it the “Crypto Ransomware Response Toolkit”, or some variation of that, and that was my start in public speaking.
Microsoft Azure. It’s everywhere. Pretty much every environment we assess has Active Directory and Azure in some form. That means there are always services we can explore or attack.
In 2023, I focused on Azure DevOps. More recently, I’ve been working with Azure ML, since it’s so common in MLOps environments. Azure is so prevalent worldwide that if you research its services, you’re bound to make an impact.
First, get familiar with artificial intelligence and machine learning. Play around with large language models, tools like OpenAI or Anthropic’s Claude, and understand how they work.
Second, learn how to code in multiple languages. Even if you’re not coding every day, being able to understand code is a huge advantage. For example, if you’re a Security Operations Center (SOC) analyst and you get hold of malware, you’ll need to analyze it. Knowing how to read code is invaluable.
If I had to pick just one recommendation, it would be to enable multi-factor authentication (MFA) on everything possible. This control can significantly inhibit an attacker from making progress with compromised credentials.
Keep an eye on attack vectors against the systems that are responsible for developing and deploying ML models (MLOps systems) and on attacks against agentic AI systems. It is very early days for research on these topics, so I anticipate there will be a lot of new attack vectors discovered in the coming years.
